Support for NTLM authentication added (#109)

* Support for NTLM authentication added To support NTLM authentication, a database is added as an authentication source. Currently, only the configuration file is supported as a database. Database authentication supports Basic and NTLM authentication protcols. ServerConfig.BasicAuthEnabled renamed to LocalEnabled as Basic auth can be used with NTLM or Local.
2026-03-27 22:46:37 +00:00 · 2024-04-24 14:12:41 +02:00
parent 7472c7b2c1
commit 372dc43ef2
16 changed files with 947 additions and 64 deletions
--- a/cmd/auth/auth.go
+++ b/cmd/auth/auth.go
@@ -4,6 +4,9 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"github.com/bolkedebruin/rdpgw/cmd/auth/config"
+	"github.com/bolkedebruin/rdpgw/cmd/auth/database"
+	"github.com/bolkedebruin/rdpgw/cmd/auth/ntlm"
 	"github.com/bolkedebruin/rdpgw/shared/auth"
 	"github.com/msteinert/pam/v2"
 	"github.com/thought-machine/go-flags"
@@ -21,16 +24,24 @@ const (
 var opts struct {
 	ServiceName string `short:"n" long:"name" default:"rdpgw" description:"the PAM service name to use"`
 	SocketAddr  string `short:"s" long:"socket" default:"/tmp/rdpgw-auth.sock" description:"the location of the socket"`
+	ConfigFile string `short:"c" long:"conf" default:"rdpgw-auth.yaml" description:"users config file for NTLM (yaml)"`
 }

 type AuthServiceImpl struct {
+	auth.UnimplementedAuthenticateServer
+
 	serviceName string
+	ntlm *ntlm.NTLMAuth
 }

+var conf config.Configuration
 var _ auth.AuthenticateServer = (*AuthServiceImpl)(nil)

-func NewAuthService(serviceName string) auth.AuthenticateServer {
-	s := &AuthServiceImpl{serviceName: serviceName}
+func NewAuthService(serviceName string, database database.Database) auth.AuthenticateServer {
+	s := &AuthServiceImpl{
+		serviceName: serviceName,
+		ntlm: ntlm.NewNTLMAuth(database),
+	}
 	return s
 }

@@ -77,12 +88,35 @@ func (s *AuthServiceImpl) Authenticate(ctx context.Context, message *auth.UserPa
 	return r, nil
 }

+func (s *AuthServiceImpl) NTLM(ctx context.Context, message *auth.NtlmRequest) (*auth.NtlmResponse, error) {
+	r, err := s.ntlm.Authenticate(message)
+
+	if err != nil {
+		log.Printf("[%s] NTLM failed: %s", message.Session, err)
+	} else if r.Authenticated {
+		log.Printf("[%s] User: %s authenticated using NTLM", message.Session, r.Username)
+	} else if r.NtlmMessage != "" {
+		log.Printf("[%s] Sending NTLM challenge", message.Session)
+	}
+
+	return r, err
+}
+
 func main() {
 	_, err := flags.Parse(&opts)
 	if err != nil {
-		panic(err)
+		var fErr *flags.Error
+		if errors.As(err, &fErr) {
+			if fErr.Type == flags.ErrHelp {
+				fmt.Printf("Acknowledgements:\n")
+				fmt.Printf(" - This product includes software developed by the Thomson Reuters Global Resources. (go-ntlm - https://github.com/m7913d/go-ntlm - BSD-4 License)\n")
+			}
+		}
+		return
 	}

+	conf = config.Load(opts.ConfigFile)
+
 	log.Printf("Starting auth server on %s", opts.SocketAddr)
 	cleanup := func() {
 		if _, err := os.Stat(opts.SocketAddr); err == nil {
@@ -100,7 +134,8 @@ func main() {
 		log.Fatal(err)
 	}
 	server := grpc.NewServer()
-	service := NewAuthService(opts.ServiceName)
+	db := database.NewConfig(conf.Users)
+	service := NewAuthService(opts.ServiceName, db)
 	auth.RegisterAuthenticateServer(server, service)
 	server.Serve(listener)
 }
--- a/cmd/auth/config/configuration.go
+++ b/cmd/auth/config/configuration.go
@@ -0,0 +1,42 @@
+package config
+
+import (
+	"github.com/knadh/koanf/parsers/yaml"
+	"github.com/knadh/koanf/providers/confmap"
+	"github.com/knadh/koanf/providers/file"
+	"github.com/knadh/koanf/v2"
+	"log"
+	"os"
+)
+
+type Configuration struct {
+	Users    []UserConfig   `koanf:"users"`
+}
+
+type UserConfig struct {
+	Username             string   `koanf:"username"`
+	Password             string   `koanf:"password"`
+}
+
+var Conf Configuration
+
+func Load(configFile string) Configuration {
+
+	var k = koanf.New(".")
+
+	k.Load(confmap.Provider(map[string]interface{}{}, "."), nil)
+
+	if _, err := os.Stat(configFile); os.IsNotExist(err) {
+		log.Printf("Config file %s not found, skipping config file", configFile)
+	} else {
+		if err := k.Load(file.Provider(configFile), yaml.Parser()); err != nil {
+			log.Fatalf("Error loading config from file: %v", err)
+		}
+	}
+
+	koanfTag := koanf.UnmarshalConf{Tag: "koanf"}
+	k.UnmarshalWithConf("Users", &Conf.Users, koanfTag)
+
+	return Conf
+
+}
--- a/cmd/auth/database/config.go
+++ b/cmd/auth/database/config.go
@@ -0,0 +1,25 @@
+package database
+
+import (
+	"github.com/bolkedebruin/rdpgw/cmd/auth/config"
+)
+
+type Config struct {
+	users map[string]config.UserConfig
+}
+
+func NewConfig(users []config.UserConfig) *Config {
+        usersMap := map[string]config.UserConfig{}
+                
+        for _, user := range users {
+                usersMap[user.Username] = user
+        }
+        
+	return &Config{
+		users: usersMap,
+	}
+}
+
+func (c *Config) GetPassword (username string) string {
+        return c.users[username].Password
+}
--- a/cmd/auth/database/config_test.go
+++ b/cmd/auth/database/config_test.go
@@ -0,0 +1,43 @@
+package database
+
+import (
+	"github.com/bolkedebruin/rdpgw/cmd/auth/config"
+	"testing"
+)
+
+func createTestDatabase () (Database) {
+	var users = []config.UserConfig{}
+
+	user1 := config.UserConfig{}
+	user1.Username = "my_username"
+	user1.Password = "my_password"
+	users = append(users, user1)
+
+	user2 := config.UserConfig{}
+	user2.Username = "my_username2"
+	user2.Password = "my_password2"
+	users = append(users, user2)
+
+	config := NewConfig(users)
+
+	return config
+}
+
+func TestDatabaseConfigValidUsername(t *testing.T) {
+	database := createTestDatabase()
+
+	if database.GetPassword("my_username") != "my_password" {
+		t.Fatalf("Wrong password returned")
+	}
+	if database.GetPassword("my_username2") != "my_password2" {
+		t.Fatalf("Wrong password returned")
+	}
+}
+
+func TestDatabaseInvalidUsername(t *testing.T) {
+	database := createTestDatabase()
+
+	if database.GetPassword("my_invalid_username") != "" {
+		t.Fatalf("Non empty password returned for invalid username")
+	}
+}
--- a/cmd/auth/database/database.go
+++ b/cmd/auth/database/database.go
@@ -0,0 +1,5 @@
+package database
+
+type Database interface {
+        GetPassword (username string) string
+}
--- a/cmd/auth/ntlm/ntlm.go
+++ b/cmd/auth/ntlm/ntlm.go
@@ -0,0 +1,160 @@
+package ntlm
+
+import (
+        "encoding/base64"
+        "errors"
+	"github.com/bolkedebruin/rdpgw/cmd/auth/database"
+	"github.com/bolkedebruin/rdpgw/shared/auth"
+        "github.com/patrickmn/go-cache"
+        "github.com/m7913d/go-ntlm/ntlm"
+	"fmt"
+	"log"
+        "time"
+)
+
+const (
+        cacheExpiration = time.Minute
+        cleanupInterval = time.Minute * 5
+)
+
+type NTLMAuth struct {
+        contextCache *cache.Cache
+        
+        // Information about the server, returned to the client during authentication
+        ServerName string // e.g. EXAMPLE1
+        DomainName string // e.g. EXAMPLE
+        DnsServerName string // e.g. example1.example.com
+        DnsDomainName string // e.g. example.com
+        DnsTreeName string // e.g. example.com
+        
+        Database database.Database
+}
+
+func NewNTLMAuth (database database.Database) (*NTLMAuth) {
+	return &NTLMAuth{
+                contextCache: cache.New(cacheExpiration, cleanupInterval),
+                Database: database,
+        }
+}
+
+func (h *NTLMAuth) Authenticate(message *auth.NtlmRequest) (*auth.NtlmResponse, error) {
+	r := &auth.NtlmResponse{}
+	r.Authenticated = false
+
+	if message.Session == "" {
+		return r, errors.New("Invalid (empty) session specified")
+	}
+
+	if message.NtlmMessage == "" {
+		return r, errors.New("Empty NTLM message specified")
+	}
+
+	c := h.getContext(message.Session)
+	err := c.Authenticate(message.NtlmMessage, r)
+
+	if err != nil || r.Authenticated {
+		h.removeContext(message.Session)
+	}
+
+	return r, err
+}
+
+func (h *NTLMAuth) getContext (session string) (*ntlmContext) {
+	if c_, found := h.contextCache.Get(session); found {
+                if c, ok := c_.(*ntlmContext); ok {
+                        return c
+                }
+        }
+        c := new(ntlmContext)
+        c.h = h
+	h.contextCache.Set(session, c, cache.DefaultExpiration)
+        return c
+}
+
+func (h *NTLMAuth) removeContext (session string) {
+	h.contextCache.Delete(session)
+}
+
+type ntlmContext struct {
+        session ntlm.ServerSession
+	h *NTLMAuth
+}
+
+func (c *ntlmContext) Authenticate(authorisationEncoded string, r *auth.NtlmResponse) (error) {
+        authorisation, err := base64.StdEncoding.DecodeString(authorisationEncoded)
+        if err != nil {
+		return errors.New(fmt.Sprintf("Failed to decode NTLM Authorisation header: %s", err))
+        }
+
+        nm, err := ntlm.ParseNegotiateMessage(authorisation)
+        if err == nil {
+		return c.negotiate(nm, r)
+        }
+        if (nm != nil && nm.MessageType == 1) {
+		return errors.New(fmt.Sprintf("Failed to parse NTLM Authorisation header: %s", err))
+        } else if c.session == nil {
+		return errors.New(fmt.Sprintf("New NTLM auth sequence should start with negotioate request"))
+        }
+
+        am, err := ntlm.ParseAuthenticateMessage(authorisation, 2)
+        if err == nil {
+		return c.authenticate(am, r)
+        }
+
+	return errors.New(fmt.Sprintf("Failed to parse NTLM Authorisation header: %s", err))
+}
+
+func (c *ntlmContext) negotiate(nm *ntlm.NegotiateMessage, r *auth.NtlmResponse) (error) {
+        session, err := ntlm.CreateServerSession(ntlm.Version2, ntlm.ConnectionOrientedMode)
+
+        if err != nil {
+                c.session = nil;
+		return errors.New(fmt.Sprintf("Failed to create NTLM server session: %s", err))
+        }
+
+        c.session = session
+	c.session.SetRequireNtHash(true)
+        c.session.SetDomainName(c.h.DomainName)
+        c.session.SetComputerName(c.h.ServerName)
+        c.session.SetDnsDomainName(c.h.DnsDomainName)
+        c.session.SetDnsComputerName(c.h.DnsServerName)
+        c.session.SetDnsTreeName(c.h.DnsTreeName)
+
+        err = c.session.ProcessNegotiateMessage(nm)
+        if err != nil {
+		return errors.New(fmt.Sprintf("Failed to process NTLM negotiate message: %s", err))
+        }
+
+        cm, err := c.session.GenerateChallengeMessage()
+        if err != nil {
+		return errors.New(fmt.Sprintf("Failed to generate NTLM challenge message: %s", err))
+	}
+
+	r.NtlmMessage = base64.StdEncoding.EncodeToString(cm.Bytes())
+	return nil
+}
+
+func (c *ntlmContext) authenticate(am *ntlm.AuthenticateMessage, r *auth.NtlmResponse) (error) {
+        if c.session == nil {
+		return errors.New(fmt.Sprintf("NTLM Authenticate requires active session: first call negotioate"))
+        }
+        
+        username := am.UserName.String()
+        password := c.h.Database.GetPassword (username)
+        if password == "" {
+		log.Printf("NTLM: unknown username specified: %s", username)
+		return nil
+        }
+        
+        c.session.SetUserInfo(username,password,"")
+
+        err := c.session.ProcessAuthenticateMessage(am)
+        if err != nil {
+		log.Printf("Failed to process NTLM authenticate message: %s", err)
+		return nil
+        }
+
+	r.Authenticated = true
+	r.Username = username
+	return nil
+}
--- a/cmd/auth/ntlm/ntlm_test.go
+++ b/cmd/auth/ntlm/ntlm_test.go
@@ -0,0 +1,168 @@
+package ntlm
+
+import (
+	"encoding/base64"
+	"github.com/bolkedebruin/rdpgw/cmd/auth/config"
+	"github.com/bolkedebruin/rdpgw/cmd/auth/database"
+	"github.com/bolkedebruin/rdpgw/shared/auth"
+	"github.com/m7913d/go-ntlm/ntlm"
+	"testing"
+	"log"
+)
+
+func createTestDatabase () (database.Database) {
+	user := config.UserConfig{}
+	user.Username = "my_username"
+	user.Password = "my_password"
+
+	var users = []config.UserConfig{}
+	users = append(users, user)
+
+	config := database.NewConfig(users)
+
+	return config
+}
+
+func TestNtlmValidCredentials(t *testing.T) {
+	client := ntlm.V2ClientSession{}
+	client.SetUserInfo("my_username", "my_password", "")
+
+	authenticateResponse := authenticate(t, &client)
+	if !authenticateResponse.Authenticated {
+		t.Errorf("Failed to authenticate")
+		return
+	}
+	if authenticateResponse.Username != "my_username" {
+		t.Errorf("Wrong username returned")
+		return
+	}
+}
+
+func TestNtlmInvalidPassword(t *testing.T) {
+	client := ntlm.V2ClientSession{}
+	client.SetUserInfo("my_username", "my_invalid_password", "")
+
+	authenticateResponse := authenticate(t, &client)
+	if authenticateResponse.Authenticated {
+		t.Errorf("Authenticated with wrong password")
+		return
+	}
+	if authenticateResponse.Username != "" {
+		t.Errorf("If authentication failed, no username should be returned")
+		return
+	}
+}
+
+func TestNtlmInvalidUsername(t *testing.T) {
+	client := ntlm.V2ClientSession{}
+	client.SetUserInfo("my_invalid_username", "my_password", "")
+
+	authenticateResponse := authenticate(t, &client)
+	if authenticateResponse.Authenticated {
+		t.Errorf("Authenticated with wrong password")
+		return
+	}
+	if authenticateResponse.Username != "" {
+		t.Errorf("If authentication failed, no username should be returned")
+		return
+	}
+}
+
+func authenticate(t *testing.T, client *ntlm.V2ClientSession) (*auth.NtlmResponse) {
+	session := "X"
+	database := createTestDatabase()
+
+	server := NewNTLMAuth(database)
+
+	negotiate, err := client.GenerateNegotiateMessage()
+	if err != nil {
+		t.Errorf("Could not generate negotiate message: %s", err)
+		return nil
+	}
+
+	negotiateRequest := &auth.NtlmRequest{}
+	negotiateRequest.Session = session
+	negotiateRequest.NtlmMessage = base64.StdEncoding.EncodeToString(negotiate.Bytes())
+	negotiateResponse, err := server.Authenticate(negotiateRequest)
+	if err != nil {
+		t.Errorf("Could not generate challenge message: %s", err)
+		return nil
+	}
+	if negotiateResponse.Authenticated {
+		t.Errorf("User should not be authenticated by after negotiate message")
+		return nil
+	}
+	if negotiateResponse.NtlmMessage == "" {
+		t.Errorf("Could not generate challenge message")
+		return nil
+	}
+
+	decodedChallenge, err := base64.StdEncoding.DecodeString(negotiateResponse.NtlmMessage)
+	if err != nil {
+		t.Errorf("Challenge should be base64 encoded: %s", err)
+		return nil
+	}
+
+	challenge, err := ntlm.ParseChallengeMessage(decodedChallenge)
+	if err != nil {
+		t.Errorf("Invalid challenge message generated: %s", err)
+		return nil
+	}
+
+	client.ProcessChallengeMessage(challenge)
+	authenticate, err := client.GenerateAuthenticateMessage()
+	if err != nil {
+		t.Errorf("Could not generate authenticate message: %s", err)
+		return nil
+	}
+
+	authenticateRequest := &auth.NtlmRequest{}
+	authenticateRequest.Session = session
+	authenticateRequest.NtlmMessage = base64.StdEncoding.EncodeToString(authenticate.Bytes())
+	authenticateResponse, err := server.Authenticate(authenticateRequest)
+	if err != nil {
+		t.Errorf("Could not parse authenticate message: %s", err)
+		return authenticateResponse
+	}
+	if authenticateResponse.NtlmMessage != "" {
+		t.Errorf("Authenticate request should not generate a new NTLM message")
+		return authenticateResponse
+	}
+	return authenticateResponse
+}
+
+func TestInvalidBase64 (t *testing.T) {
+	testInvalidDataBase(t, "X", "X") // not valid base64
+}
+
+func TestInvalidData (t *testing.T) {
+	testInvalidDataBase(t, "X", "XXXX") // valid base64
+}
+
+func TestInvalidDataEmptyMessage (t *testing.T) {
+	testInvalidDataBase(t, "X", "")
+}
+
+func TestEmptySession (t *testing.T) {
+	testInvalidDataBase(t, "", "XXXX")
+}
+
+func testInvalidDataBase (t *testing.T, session string, data string) {
+	database := createTestDatabase()
+	server := NewNTLMAuth(database)
+
+	request := &auth.NtlmRequest{}
+	request.Session = session
+	request.NtlmMessage = data
+	response, err := server.Authenticate(request)
+	log.Printf("%s",err)
+	if err == nil {
+		t.Errorf("Invalid request should return an error")
+	}
+	if response.Authenticated {
+		t.Errorf("User should not be authenticated using invalid data")
+	}
+	if response.NtlmMessage != "" {
+		t.Errorf("No NTLM message should be generated for invalid data")
+	}
+}
--- a/cmd/rdpgw/config/configuration.go
+++ b/cmd/rdpgw/config/configuration.go
@@ -224,6 +224,10 @@ func Load(configFile string) Configuration {
 	if Conf.Server.BasicAuthEnabled() && Conf.Server.Tls == "disable" {
 		log.Fatalf("basicauth=local and tls=disable are mutually exclusive")
 	}
+        
+	if Conf.Server.NtlmEnabled() && Conf.Server.KerberosEnabled() {
+		log.Fatalf("ntlm and kerberos authentication are not stackable")
+        }

 	if !Conf.Caps.TokenAuth && Conf.Server.OpenIDEnabled() {
 		log.Fatalf("openid is configured but tokenauth disabled")
@@ -254,6 +258,10 @@ func (s *ServerConfig) BasicAuthEnabled() bool {
 	return s.matchAuth("local") || s.matchAuth("basic")
 }

+func (s *ServerConfig) NtlmEnabled() bool {
+	return s.matchAuth("ntlm")
+}
+
 func (s *ServerConfig) matchAuth(needle string) bool {
 	for _, q := range s.Authentication {
 		if q == needle {
--- a/cmd/rdpgw/main.go
+++ b/cmd/rdpgw/main.go
@@ -221,7 +221,7 @@ func main() {
 		r.HandleFunc("/callback", o.HandleCallback)

 		// only enable un-auth endpoint for openid only config
-		if !conf.Server.KerberosEnabled() || !conf.Server.BasicAuthEnabled() {
+		if !conf.Server.KerberosEnabled() && !conf.Server.BasicAuthEnabled() && !conf.Server.NtlmEnabled() {
 			rdp.Name("gw").HandlerFunc(gw.HandleGatewayProtocol)
 		}
 	}
@@ -229,6 +229,16 @@ func main() {
 	// for stacking of authentication
 	auth := web.NewAuthMux()
 	rdp.MatcherFunc(web.NoAuthz).HandlerFunc(auth.SetAuthenticate)
+        
+	// ntlm
+	if conf.Server.NtlmEnabled() {
+		log.Printf("enabling NTLM authentication")
+		ntlm := web.NTLMAuthHandler{SocketAddress: conf.Server.AuthSocket, Timeout: conf.Server.BasicAuthTimeout}
+		rdp.NewRoute().HeadersRegexp("Authorization", "NTLM").HandlerFunc(ntlm.NTLMAuth(gw.HandleGatewayProtocol))
+		rdp.NewRoute().HeadersRegexp("Authorization", "Negotiate").HandlerFunc(ntlm.NTLMAuth(gw.HandleGatewayProtocol))
+		auth.Register(`NTLM`)
+		auth.Register(`Negotiate`)
+        }

 	// basic auth
 	if conf.Server.BasicAuthEnabled() {
--- a/cmd/rdpgw/web/basic.go
+++ b/cmd/rdpgw/web/basic.go
@@ -25,32 +25,9 @@ func (h *BasicAuthHandler) BasicAuth(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		username, password, ok := r.BasicAuth()
 		if ok {
-			ctx := r.Context()
+			authenticated := h.authenticate(w, r, username, password)

-			conn, err := grpc.Dial(h.SocketAddress, grpc.WithTransportCredentials(insecure.NewCredentials()),
-				grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
-					return net.Dial(protocolGrpc, addr)
-				}))
-			if err != nil {
-				log.Printf("Cannot reach authentication provider: %s", err)
-				http.Error(w, "Server error", http.StatusInternalServerError)
-				return
-			}
-			defer conn.Close()
-
-			c := auth.NewAuthenticateClient(conn)
-			ctx, cancel := context.WithTimeout(context.Background(), time.Second*time.Duration(h.Timeout))
-			defer cancel()
-
-			req := &auth.UserPass{Username: username, Password: password}
-			res, err := c.Authenticate(ctx, req)
-			if err != nil {
-				log.Printf("Error talking to authentication provider: %s", err)
-				http.Error(w, "Server error", http.StatusInternalServerError)
-				return
-			}
-
-			if !res.Authenticated {
+			if !authenticated {
 				log.Printf("User %s is not authenticated for this service", username)
 			} else {
 				log.Printf("User %s authenticated", username)
@@ -61,7 +38,6 @@ func (h *BasicAuthHandler) BasicAuth(next http.HandlerFunc) http.HandlerFunc {
 				next.ServeHTTP(w, identity.AddToRequestCtx(id, r))
 				return
 			}
-
 		}
 		// If the Authentication header is not present, is invalid, or the
 		// username or password is wrong, then set a WWW-Authenticate
@@ -71,3 +47,36 @@ func (h *BasicAuthHandler) BasicAuth(next http.HandlerFunc) http.HandlerFunc {
 		http.Error(w, "Unauthorized", http.StatusUnauthorized)
 	}
 }
+
+func (h *BasicAuthHandler) authenticate(w http.ResponseWriter, r *http.Request, username string, password string) (authenticated bool) {
+        if h.SocketAddress == "" {
+                return false
+        }
+
+        ctx := r.Context()
+        
+        conn, err := grpc.Dial(h.SocketAddress, grpc.WithTransportCredentials(insecure.NewCredentials()),
+                grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
+                        return net.Dial(protocolGrpc, addr)
+                }))
+        if err != nil {
+                log.Printf("Cannot reach authentication provider: %s", err)
+                http.Error(w, "Server error", http.StatusInternalServerError)
+                return false
+        }
+        defer conn.Close()
+        
+        c := auth.NewAuthenticateClient(conn)
+        ctx, cancel := context.WithTimeout(context.Background(), time.Second*time.Duration(h.Timeout))
+        defer cancel()
+        
+        req := &auth.UserPass{Username: username, Password: password}
+        res, err := c.Authenticate(ctx, req)
+        if err != nil {
+                log.Printf("Error talking to authentication provider: %s", err)
+                http.Error(w, "Server error", http.StatusInternalServerError)
+                return false
+        }
+        
+        return res.Authenticated
+}
--- a/cmd/rdpgw/web/ntlm.go
+++ b/cmd/rdpgw/web/ntlm.go
@@ -0,0 +1,120 @@
+package web
+
+import (
+	"context"
+        "errors"
+        "github.com/bolkedebruin/rdpgw/cmd/rdpgw/identity"
+	"github.com/bolkedebruin/rdpgw/shared/auth"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+        "log"
+	"net"
+        "net/http"
+        "time"
+)
+
+type ntlmAuthMode uint32
+const (
+        authNone ntlmAuthMode = iota
+        authNTLM
+        authNegotiate
+)
+
+type NTLMAuthHandler struct {
+	SocketAddress string
+	Timeout       int
+}
+
+func (h *NTLMAuthHandler) NTLMAuth(next http.HandlerFunc) http.HandlerFunc {
+        return func(w http.ResponseWriter, r *http.Request) {
+		authPayload, authMode, err := h.getAuthPayload(r)
+                if err != nil {
+                        log.Printf("Failed parsing auth header: %s", err)
+			h.requestAuthenticate(w)
+                        return
+		}
+
+		authenticated, username := h.authenticate(w, r, authPayload, authMode)
+
+		if authenticated {
+			log.Printf("NTLM: User %s authenticated", username)
+			id := identity.FromRequestCtx(r)
+			id.SetUserName(username)
+			id.SetAuthenticated(true)
+			id.SetAuthTime(time.Now())
+			next.ServeHTTP(w, identity.AddToRequestCtx(id, r))
+		}
+        }
+}
+
+func (h *NTLMAuthHandler) getAuthPayload (r *http.Request) (payload string, authMode ntlmAuthMode, err error) {
+	authorisationEncoded := r.Header.Get("Authorization")
+	if authorisationEncoded[0:5] == "NTLM " {
+		return authorisationEncoded[5:], authNTLM, nil
+	}
+	if authorisationEncoded[0:10] == "Negotiate " {
+		return authorisationEncoded[10:], authNegotiate, nil
+	}
+	return "", authNone, errors.New("Invalid NTLM Authorisation header")
+}
+
+func (h *NTLMAuthHandler) requestAuthenticate (w http.ResponseWriter) {
+	w.Header().Add("WWW-Authenticate", `NTLM`)
+	w.Header().Add("WWW-Authenticate", `Negotiate`)
+	http.Error(w, "Unauthorized", http.StatusUnauthorized)
+}
+
+func (h *NTLMAuthHandler) getAuthPrefix (authMode ntlmAuthMode) (prefix string) {
+	if authMode == authNTLM {
+		return "NTLM "
+	}
+	if authMode == authNegotiate {
+		return "Negotiate "
+	}
+	return ""
+}
+
+func (h *NTLMAuthHandler) authenticate(w http.ResponseWriter, r *http.Request, authorisationEncoded string, authMode ntlmAuthMode) (authenticated bool, username string) {
+	if h.SocketAddress == "" {
+		return false, ""
+	}
+
+	ctx := r.Context()
+
+	conn, err := grpc.Dial(h.SocketAddress, grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
+			return net.Dial(protocolGrpc, addr)
+		}))
+	if err != nil {
+		log.Printf("Cannot reach authentication provider: %s", err)
+		http.Error(w, "Server error", http.StatusInternalServerError)
+		return false, ""
+	}
+	defer conn.Close()
+
+	c := auth.NewAuthenticateClient(conn)
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*time.Duration(h.Timeout))
+	defer cancel()
+
+	req := &auth.NtlmRequest{Session: r.RemoteAddr, NtlmMessage: authorisationEncoded}
+	res, err := c.NTLM(ctx, req)
+	if err != nil {
+		log.Printf("Error talking to authentication provider: %s", err)
+		http.Error(w, "Server error", http.StatusInternalServerError)
+		return false, ""
+	}
+
+	if res.NtlmMessage != "" {
+		log.Printf("Sending NTLM challenge")
+		w.Header().Add("WWW-Authenticate", h.getAuthPrefix(authMode)+res.NtlmMessage)
+		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+		return false, ""
+	}
+
+	if !res.Authenticated {
+		h.requestAuthenticate(w)
+		return false, ""
+	}
+
+	return res.Authenticated, res.Username
+}